Snort mailing list archives

Re: Snort+flexresp


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Tue, 2 Apr 2002 09:41:49 -0500 (EST)

Jeff and others,

Thanks for the packet dumps.  Could you instead store them in pcap
format?
I have the exact same problem! Here is the story:
-------------------------
So, for the dump below: "fw" and "anton" are two RedHat i386 7.2 boxes,
"fw"  runs snort 1.8.4 (build 99, from RPMs, with flexresp). I modified
the signature below (for tests) to read (all other configs - default!!):

--------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; resp: icmp_all,rst_all; nocase;
classtype:web-application-attack; sid:1002; rev:2;)
--------------------

and then use Lynx on "anton" to get the cmd.exe file (a big zeroed file) from
"fw". And it works fine (see the dump below) - snort produces an alert and
all the packets are sent.

------------------------------------------------------
17:53:43.309995 anton.56796 > fw.http: S 1893212406:1893212406(0) win 5840 <mss 1460,sackOK,timestamp 35455186 
0,nop,wscale 0> (DF) [tos 0x10]
17:53:43.310282 fw.http > anton.56796: S 1900591890:1900591890(0) ack 1893212407 win 5792 <mss 1460,sackOK,timestamp 
165254566 35455186,nop,wscale 0> (DF)
17:53:43.310321 anton.56796 > fw.http: . ack 1 win 5840 <nop,nop,timestamp  35455186 165254566> (DF) [tos 0x10]
17:53:46.347937 anton.56796 > fw.http: P 1:15(14) ack 1 win 5840 <nop,nop,timestamp 35455490 165254566> (DF) [tos 0x10]
17:53:46.348203 fw.http > anton.56796: . ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349880 fw.http > anton.56796: . 1:1449(1448) ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349897 anton.56796 > fw.http: . ack 1449 win 8688 <nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351116 fw.http > anton.56796: . 1449:2897(1448) ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.351165 anton.56796 > fw.http: . ack 2897 win 11584  <nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351610 fw.http > anton.56796: R 1:1(0) ack 15 win 0
17:53:46.351686 fw > anton: icmp: net fw unreachable
17:53:46.351763 fw > anton: icmp: host fw unreachable
17:53:46.351839 fw > anton: icmp: fw tcp port http unreachable
17:53:46.353082 fw.http > anton.56796: P 2897:4345(1448) ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.353098 anton.56796 > fw.http: . ack 4345 win 14480 <nop,nop,timestamp 35455491 165254870> (DF) [tos 0x10]
17:53:46.354314 fw.http > anton.56796: . 4345:5793(1448) ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.354332 anton.56796 > fw.http: . ack 5793 win 17376 <nop,nop,timestamp 35455491 165254870> (DF) [tos 0x10]
-------------------------------------------------------
However, it has NO effect on the connection whatsoever. Do you have any
insights on that? My guess is that the RST arrives late and doesn't cancel the
connection and the ICMPs have no effect on the ongoing connection, but I
suspect I am wrong.


I can email binary dumps upon request.

Best,
-- 
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
   http://www.info-secure.org
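As an added example (not part of Anton's post), the Python script below parses the relevant tcpdump lines from the trace above and checks each RST's sequence number against the receiver's expected sequence number and last advertised window, which is the RFC 793 acceptability test a TCP stack applies before honouring a reset. The trace lines and host/port names are copied from the dump in the post; the check logic and function names are the example's own.

```python
import re

# Sample input constructed from the tcpdump trace in the post above
# (relative sequence numbers, as tcpdump prints them after the handshake).
TRACE = """\
17:53:46.347937 anton.56796 > fw.http: P 1:15(14) ack 1 win 5840 <nop,nop,timestamp 35455490 165254566> (DF) [tos 0x10]
17:53:46.348203 fw.http > anton.56796: . ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349880 fw.http > anton.56796: . 1:1449(1448) ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349897 anton.56796 > fw.http: . ack 1449 win 8688 <nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351116 fw.http > anton.56796: . 1449:2897(1448) ack 15 win 5792 <nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.351165 anton.56796 > fw.http: . ack 2897 win 11584  <nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351610 fw.http > anton.56796: R 1:1(0) ack 15 win 0
"""

# One tcpdump TCP line: "<time> <src> > <dst>: <flags> [<start>:<end>(<len>)] ack <ack> win <win> ..."
SEG = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
                 r"(?:(?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?ack (?P<ack>\d+) win (?P<win>\d+)")

def check_resets(trace):
    """Walk a tcpdump TCP trace and report, for every RST, whether its sequence
    number lies inside the receiver's window [rcv_nxt, rcv_nxt + rcv_wnd).
    Returns a list of (receiver, rst_seq, rcv_nxt, rcv_wnd, accepted)."""
    rcv_nxt = {}   # host:port -> next sequence number it expects to receive
    rcv_wnd = {}   # host:port -> window it most recently advertised
    results = []
    for line in trace.splitlines():
        m = SEG.match(line)
        if not m:          # ICMP and non-TCP lines are ignored
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        rcv_wnd[src] = int(m["win"])      # sender advertises its own receive window
        rcv_nxt.setdefault(src, 1)        # relative seq after the handshake is 1
        rcv_nxt.setdefault(dst, 1)
        if "R" in flags:
            seq = int(m["start"])
            lo, wnd = rcv_nxt[dst], rcv_wnd.get(dst, 0)
            results.append((dst, seq, lo, wnd, lo <= seq < lo + wnd))
        elif m["end"]:                    # data segment advances the receiver's rcv_nxt
            rcv_nxt[dst] = max(rcv_nxt[dst], int(m["end"]))
    return results

if __name__ == "__main__":
    for rcv, seq, nxt, wnd, ok in check_resets(TRACE):
        print(f"RST to {rcv}: seq={seq} expected>={nxt} window={wnd} -> "
              f"{'accepted' if ok else 'out of window, dropped'}")
```

Run against the trace in the post, the script reports the RST to anton.56796 as carrying sequence 1 while anton already expects 2897, so the reset falls outside the window and a conforming stack discards it.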

